Tricking BuildKit into Removing Host Files
CVE-2024-23652

9.1CRITICAL

Key Information:

Vendor

moby

Status
buildkit
Vendor
CVE Published:
31 January 2024

What is CVE-2024-23652?

A vulnerability exists in BuildKit, a toolkit for converting source code into build artifacts. This security flaw arises when a maliciously crafted BuildKit frontend or Dockerfile using the RUN --mount feature is executed, leading to potential unauthorized removal of files from the host system rather than just the container. Versions of BuildKit prior to v0.12.5 are impacted by this issue. Developers are advised to avoid using BuildKit frontends sourced from untrusted origins and to exercise caution when building Dockerfiles that utilize the RUN --mount directive. The issue has been addressed in BuildKit version 0.12.5.

Affected Version(s)

buildkit < 0.12.5

References

https://github.com/moby/buildkit/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/moby/buildkit/pull/4603
x_refsource_MISC
https://github.com/moby/buildkit/releases/tag/v0.12.5
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.